CVE-2020-7071

medium
Description

In PHP versions 7.3.x below 7.3.26, 7.4.x below 7.4.14 and 8.0.0, when validating a URL with functions like filter_var($url, FILTER_VALIDATE_URL), PHP will accept a URL with an invalid password as a valid URL. This may lead functions that rely on the URL being valid to mis-parse it and produce wrong data as components of the URL.

References

https://bugs.php.net/bug.php?id=77423

https://www.debian.org/security/2021/dsa-4856

https://security.netapp.com/advisory/ntap-20210312-0005/

https://security.gentoo.org/glsa/202105-23

https://lists.debian.org/debian-lts-announce/2021/07/msg00008.html

https://www.tenable.com/security/tns-2021-14

Details

Source: MITRE

Published: 2021-02-15

Updated: 2021-09-14

Type: CWE-20

Risk Information

CVSS v2

Base Score: 5

Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N

Impact Score: 2.9

Exploitability Score: 10

Severity: MEDIUM

CVSS v3

Base Score: 5.3

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Impact Score: 1.4

Exploitability Score: 3.9

Severity: MEDIUM

Tenable Plugins

ID | Name | Product | Family | Severity
153325 | EulerOS 2.0 SP2 : php (EulerOS-SA-2021-2423) | Nessus | Huawei Local Security Checks | medium
152986 | Tenable SecurityCenter < 5.19.0 Multiple Vulnerabilities (TNS-2021-14) | Nessus | Misc. | high
152348 | RHEL 7 : rh-php73-php (RHSA-2021:2992) | Nessus | Red Hat Local Security Checks | medium
151985 | Tenable.sc < 5.19.0 Multiple Vulnerabilities (TNS-2021-14) (deprecated) | Nessus | Misc. | high
151676 | Debian DLA-2708-1 : php7.0 - LTS security update | Nessus | Debian Local Security Checks | critical
151583 | Ubuntu 16.04 LTS : PHP vulnerabilities (USN-5006-2) | Nessus | Ubuntu Local Security Checks | critical
151444 | Ubuntu 18.04 LTS / 20.04 LTS / 20.10 / 21.04 : PHP vulnerabilities (USN-5006-1) | Nessus | Ubuntu Local Security Checks | critical
149163 | EulerOS 2.0 SP3 : php (EulerOS-SA-2021-1830) | Nessus | Huawei Local Security Checks | medium
147033 | EulerOS Virtualization for ARM 64 3.0.6.0 : php (EulerOS-SA-2021-1566) | Nessus | Huawei Local Security Checks | medium
146613 | Debian DSA-4856-1 : php7.3 - security update | Nessus | Debian Local Security Checks | medium
145742 | EulerOS 2.0 SP8 : php (EulerOS-SA-2021-1163) | Nessus | Huawei Local Security Checks | medium
145395 | openSUSE Security Update : php7 (openSUSE-2021-106) | Nessus | SuSE Local Security Checks | medium
145336 | openSUSE Security Update : php7 (openSUSE-2021-101) | Nessus | SuSE Local Security Checks | medium
112679 | PHP 7.3.x < 7.3.26 Input Validation Error | Web Application Scanning | Component Vulnerability | medium
112678 | PHP 7.4.x < 7.4.14 Input Validation Error | Web Application Scanning | Component Vulnerability | medium
112677 | PHP 8.x < 8.0.1 Input Validation Error | Web Application Scanning | Component Vulnerability | medium
145141 | Fedora 32 : php (2021-ca0e53d310) | Nessus | Fedora Local Security Checks | medium
145031 | SUSE SLES12 Security Update : php72 (SUSE-SU-2021:0125-1) | Nessus | SuSE Local Security Checks | medium
145030 | SUSE SLED15 / SLES15 Security Update : php7 (SUSE-SU-2021:0124-1) | Nessus | SuSE Local Security Checks | medium
145019 | SUSE SLES12 Security Update : php74 (SUSE-SU-2021:0126-1) | Nessus | SuSE Local Security Checks | medium
144955 | Fedora 33 : php (2021-8dac5c39f3) | Nessus | Fedora Local Security Checks | medium
144947 | PHP 7.3.x < 7.3.26 / 7.4.x < 7.4.14 / 8.x < 8.0.1 Input Validation Error | Nessus | CGI abuses | medium